On 11/16/2015 12:50 PM, Christian Boltz wrote: > Hello, > > Am Samstag, 24. Oktober 2015 schrieb Christian Boltz: >> $subject. >> >> Also adjust test-signal for AARE (it needed a change in >> _compare_obj()) and enable the regex-based tests. > > Here's v2. with the following changes: > - hand over log_event when creating the AARE object > - use self.peer.is_equal() instead of comparing .regex > > Again, just a quick pass but it looks good
Acked-by: John Johansen <[email protected]>
> [ 16-signal-rule-use-aare.diff ]
>
> === modified file ./utils/apparmor/rule/signal.py
> --- utils/apparmor/rule/signal.py 2015-11-16 21:26:38.034344249 +0100
> +++ utils/apparmor/rule/signal.py 2015-11-16 21:32:54.104210992 +0100
> @@ -14,6 +14,7 @@
>
> import re
>
> +from apparmor.aare import AARE
> from apparmor.regex import RE_PROFILE_SIGNAL, RE_PROFILE_NAME
> from apparmor.common import AppArmorBug, AppArmorException
> from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers,
> quote_if_needed
> @@ -98,7 +99,7 @@
> elif type(peer) == str:
> if len(peer.strip()) == 0:
> raise AppArmorBug('Passed empty peer to SignalRule: %s' %
> str(peer))
> - self.peer = peer # XXX use AARE
> + self.peer = AARE(peer, False, log_event=log_event)
> else:
> raise AppArmorBug('Passed unknown object to SignalRule: %s' %
> str(peer))
>
> @@ -182,7 +183,7 @@
> if self.all_peers:
> peer = ''
> elif self.peer:
> - peer = ' peer=%s' % quote_if_needed(self.peer) # XXX use AARE
> + peer = ' peer=%s' % quote_if_needed(self.peer.regex)
> else:
> raise AppArmorBug('Empty signal in signal rule')
>
> @@ -197,7 +198,7 @@
> if not other_rule.signal and not other_rule.all_signals:
> raise AppArmorBug('No signal specified in other signal rule')
>
> - if not other_rule.peer and not other_rule.all_peers: # XXX use AARE
> + if not other_rule.peer and not other_rule.all_peers:
> raise AppArmorBug('No peer specified in other signal rule')
>
> if not self.all_accesss:
> @@ -215,7 +216,7 @@
> if not self.all_peers:
> if other_rule.all_peers:
> return False
> - if other_rule.peer != self.peer: # XXX use AARE
> + if not self.peer.match(other_rule.peer.regex):
> return False
>
> # still here? -> then it is covered
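Review bot: In the `@@ -215,7 +216,7 @@` hunk, `self.peer.match(other_rule.peer.regex)` hands the other rule's pattern text to `match()`, so unless `match()` treats patterns specially (its body is not shown here), glob characters in the other rule's peer are compared as literal characters. A narrower pattern could then appear to cover a broader one: a rule with `peer=/foo/?` would presumably match the literal string `/foo/*` and report `signal send peer=/foo/*,` as covered, and a tool that drops covered rules would remove a rule that grants more than the one it keeps. Consider a comment on that line such as `# XXX compares other_rule's pattern text literally; a narrower glob may "cover" a broader one`, and a test row in test-signal.py that checks a `*` peer against a rule whose peer uses `?` or a character class. The enclosing method starts and ends outside the hunk.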
> @@ -235,8 +236,10 @@
> or self.all_signals != rule_obj.all_signals):
> return False
>
> - if (self.peer != rule_obj.peer # XXX switch to AARE
> - or self.all_peers != rule_obj.all_peers):
> + if self.all_peers != rule_obj.all_peers:
> + return False
> +
> + if self.peer and not self.peer.is_equal(rule_obj.peer):
> return False
>
> return True
> @@ -255,7 +258,7 @@
> if self.all_peers:
> peer = _('ALL')
> else:
> - peer = self.peer # XXX use AARE
> + peer = self.peer.regex
>
> return [
> _('Access mode'), access,
> === modified file ./utils/test/test-signal.py
> --- utils/test/test-signal.py 2015-11-16 21:26:38.034344249 +0100
> +++ utils/test/test-signal.py 2015-11-16 00:14:05.371336371 +0100
> @@ -35,7 +35,10 @@
> self.assertEqual(expected.audit, obj.audit)
> self.assertEqual(expected.access, obj.access)
> self.assertEqual(expected.signal, obj.signal)
> - self.assertEqual(expected.peer, obj.peer)
> + if obj.peer:
> + self.assertEqual(expected.peer, obj.peer.regex)
> + else:
> + self.assertEqual(expected.peer, obj.peer)
> self.assertEqual(expected.all_accesss, obj.all_accesss)
> self.assertEqual(expected.all_signals, obj.all_signals)
> self.assertEqual(expected.all_peers, obj.all_peers)
> @@ -386,8 +389,8 @@
> ('signal,' , [ False , False ,
> False , False ]),
> ('signal send,' , [ False , False ,
> False , False ]),
> ('signal send peer=/foo/bar,' , [ True , True ,
> True , True ]),
> - #('signal send peer=/foo/*,' , [ False , False ,
> True , True ]), # XXX
> - #('signal send peer=/**,' , [ False , False ,
> True , True ]), # XXX
> + ('signal send peer=/foo/*,' , [ False , False ,
> False , False ]),
> + ('signal send peer=/**,' , [ False , False ,
> False , False ]),
> ('signal send peer=/what/*,' , [ False , False ,
> False , False ]),
> ('signal peer=/foo/bar,' , [ False , False ,
> False , False ]),
> ('signal send, # comment' , [ False , False ,
> False , False ]),
> @@ -413,19 +416,19 @@
> # rule equal strict equal
> covered covered exact
> ('signal,' , [ False , False ,
> False , False ]),
> ('signal send,' , [ False , False ,
> False , False ]),
> - #('signal send peer=/foo/bar,' , [ False , False ,
> True , True ]), # XXX several AARE tests
> - #('signal send peer=/foo/*,' , [ False , False ,
> True , True ]),
> - #('signal send peer=/**,' , [ False , False ,
> True , True ]),
> - #('signal send peer=/what/*,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/foo/bar,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/foo/*,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/**,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/what/*,' , [ False , False ,
> True , True ]),
> ('signal peer=/foo/bar,' , [ False , False ,
> False , False ]),
> ('signal send, # comment' , [ False , False ,
> False , False ]),
> ('allow signal send,' , [ False , False ,
> False , False ]),
> - #('allow signal send peer=/foo/bar,' , [ False , False ,
> True , True ]),
> + ('allow signal send peer=/foo/bar,' , [ False , False ,
> True , True ]),
> ('signal send,' , [ False , False ,
> False , False ]),
> - #('signal send peer=/foo/bar,' , [ False , False ,
> True , True ]),
> - #('signal send peer=/what/ever,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/foo/bar,' , [ False , False ,
> True , True ]),
> + ('signal send peer=/what/ever,' , [ False , False ,
> True , True ]),
> ('signal send set=quit,' , [ False , False ,
> False , False ]),
> - #('signal send set=int peer=/foo/bar,' , [ False , False ,
> True , True ]),
> + ('signal send set=int peer=/foo/bar,' , [ False , False ,
> True , True ]),
> ('audit signal send peer=/foo/bar,' , [ False , False ,
> False , False ]),
> ('audit signal,' , [ False , False ,
> False , False ]),
> ('signal receive,' , [ False , False ,
> False , False ]),
>
>
>
> Regards,
>
> Christian Boltz
> -- AppArmor mailing list [email protected] Modify
settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
